Extending Microsoft Windows Active Directory Authentication to Access HP Service Health Reporter

Technical White Paper
For the Windows Operating System
Software Version 9.40

Table of Contents
Introduction
    Goal
    Overview
Configuring AD Authentication for SHR
    Setting Up a Service Account
    Configuring Grants for the Service Account
    Registering Service Principal Name (SPN)
    Configuring SIA to Use the Service Account
    Configuring the AD Plug-in
    Configuring Tomcat web.xml File
    Configuring bsclogin.conf and Krb5.ini files
    Configuring Tomcat Java Option
    Configuring SHR Administration Console for AD Authentication
References

Introduction

This document provides the steps to configure Microsoft Windows Active Directory (AD) authentication for SAP BusinessObjects (BO or BOBJ) using Kerberos, which provides role-based security for users to access HP Service Health Reporter (SHR) reports, universes and the Administration Console.

Note: This document is applicable for HP Service Health Reporter 9.3x and 9.40.

Goal

If users in your IT environment already use AD authentication, it can be extended to access the SHR content.

Overview

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications. It uses secret-key cryptography: a user authenticates to an authentication server, which creates a ticket. This ticket is sent to the application, which recognizes the ticket, and the user is granted access.

Acronyms used in this document:

    Acronym               Expanded form
    SHRBOSERVER           BusinessObjects server installed along SHR
    ADSERVER              Active Directory server configured to integrate the users or groups with SHR BOBJ Repository
    ADBO_USER             Windows AD Service Account used to run BOBJ services
    BOBJCMS/SHRBOSERVER   Service Principal Name (SPN) to run BOBJ services using domain user account

To configure Microsoft Windows AD authentication for SHR BusinessObjects using Kerberos, follow these steps:
1. Setting Up a Service Account
2. Configuring Grants for the Service Account
3. Registering Service Principal Name (SPN)
4. Configuring SIA to Use the Service Account
5. Configuring the AD Plug-in
6. Configuring Tomcat web.xml File
7. Configuring bsclogin.conf and Krb5.ini files
8. Configuring Tomcat Java Option
9. Configuring SHR Administration Console for AD Authentication

Configuring AD Authentication for SHR

Setting Up a Service Account

To configure BusinessObjects using Kerberos and Windows AD authentication, you must have a service account (domain account) that is trusted for delegation. You can either use an existing service account or create a new one. The service account is used to run the BusinessObjects Enterprise servers.

To set up a service account, follow these steps:
1. Create a new AD service account (ADBO_USER) on the domain controller or use an existing account.
2. Select Password never expires. If the password expires, the functionality dependent on that account will fail.
3. Select the AD service account, right-click and select Properties. The Properties window appears.
4. From the Delegation tab, click Trust this user for delegation to any service (Kerberos only) and then click OK to close the Properties window.

Note: If the Delegation tab does not appear, complete the Registering Service Principal Name (SPN) steps and then continue with Step 4 of Setting Up a Service Account.

Configuring Grants for the Service Account

To support AD authentication, enable the service account to act as part of the operating system and to log on as a service. This must be done on the SHR BusinessObjects server (example: SHRBOSERVER) where the Server Intelligence Agent service is running.

To configure the grants for the service account, follow these steps:
1. Go to Start > Administrative Tools > Local Security Policy.
2. In Local Policies, click User Rights Assignment.
3. Double-click Act as part of the operating system and click Add User or Group. The user account (ADBO_USER) that is trusted for delegation is added.
4. Click OK.
5. Double-click Log on as a service, click Add, and then click Add User or Group. The user account that is trusted for delegation is added.
6. Click OK.

To add the service account to the Administrators group, follow these steps:
1. On the SHRBOSERVER machine, right-click My Computer, and then click Manage.
2. Go to Configuration > Local Users > Groups > Groups.
3. Right-click Administrator and then click Add to Group.
4. Click Add and type the logon name for the service account.
5. Click Check Names to ensure the account resolves.
6. Click OK and then click OK again.

Registering Service Principal Name (SPN)

Because BOBJ services use the Kerberos protocol for mutual authentication in a network, you must create a Service Principal Name (SPN) for the BOBJ services to run as a domain user account. The SETSPN utility is a program that manages the SPNs of service accounts in Active Directory.

To register the Service Principal Name (SPN), follow these steps:
1. Run the following utility with the required parameters in a command line window:

    setspn -A BOBJCMS/<HOSTNAME> <serviceaccount>

   Where <HOSTNAME> is a qualified domain name of the machine running the Content Management System (CMS) service, that is, the SHRBOSERVER host name, for example SHRBOSERVER.XYZ.com.
   Where <serviceaccount> is the name of the CMS service account. In this case, the <serviceaccount> is ADBO_USER.

   Example:

    setspn -A BOBJCMS/SHRBOSERVER.XYZ.com ADBO_USER

2. On successful registration of the SPN, the screen displays the following message:

    Registering ServicePrincipalNames for CN=ServiceCMS, CN=Users, DC=DOMAIN, DC=COM
        BOBJCentralMS/HOSTNAME.DOMAIN.COM
    Updated object

To list the set of registered SPNs, run the following command:

    setspn -L ADBO_USER

Configuring SIA to Use the Service Account

To support Kerberos, the Server Intelligence Agent (SIA) must be configured in the Central Configuration Manager (CCM) to log on as the service account.

To configure a Server Intelligence Agent on SHRBOSERVER, follow these steps:
1. Start the CCM.
2. Stop the Server Intelligence Agent.
3. Double-click the Server Intelligence Agent. The Server Intelligence Agent Properties dialog box appears.
4. In the Properties tab:
   i. In Log On As, uncheck the System Account check box.
   ii. Type the user name and password for the service account.
   iii. Click Apply, and then click OK.
5. Restart the Server Intelligence Agent.

Configuring the AD Plug-in

To use Kerberos authentication, you have to configure the Windows AD security plug-in in the Central Management Console (CMC).

To configure the Windows AD security plug-in for Kerberos, follow these steps:
1. In CMC, go to the Authentication management page and click the Windows AD tab.
2. Select the Enable Windows Active Directory check box.
3. In the AD Configuration Summary, click the link next to AD Administration Name.
4. Enter the credentials that have read access to AD in the Name and Password text boxes.
   Note: Use the format Domain\Account in the Name field. Example: XYZ\ADBO_USER.
5. Enter the default domain in the Default AD Domain text box.
   Note: Use FQDN format and enter the domain in uppercase.

   Example: XYZ.COM.
6. In Mapped AD Member Groups, type the name of the domain or group in the Add AD Group (Domain\Group) text box, and then click Add.
   Mapped AD Member Groups: If a group is in the default domain, it can be added with just the group name. If it is in another domain, it must be added in domain/group format or DomainName (DN) format. Click Update and the groups will appear as shown in the above figure (secwinad: DN) regardless of how they were entered (group, domain/group, or DN). To add all users from the default domain, specify Domain Users as the group name.
7. In Authentication Options, click Use Kerberos authentication. For manual AD or AD SSO, the Kerberos authentication option must be selected.
8. In the Service principal name text box, type the account and domain of the service account or the SPN mapping to the service account. For example, BOBJCMS/SHRBOSERVER.XYZ.COM.
   The Service Principal Name must be the value created with SETSPN for the service account that runs the SIA or CMS. For more details, see Registering Service Principal Name (SPN). Ensure that there are no mistakes or white spaces before or after the SPN.
9. Select Enable Single Sign On for selected authentication mode (not required for manual AD authentication).
10. New User Alias Options:

    New Alias Options determine how the user will be created if there is an existing user with the same name (LDAP or NT or Enterprise).
    Alias Update Options determine whether users will be added when clicking the Update button or only after they have logged into CMC or client tools.
    New User Options should be determined by your licensing options, which can be viewed in CMC or license keys. Select New users are created as concurrent users, as it is a supported option for the BO license within SHR.
11. In Attribute Binding Options, select Import Full Name and Email Address and Give AD attribute binding priority over LDAP attribute binding.
12. In On-demand AD Update, select Update AD Group Graph and Aliases now and click Update.

On successful update of the AD plug-in, users or groups are synchronized with the BO repository. Verify that the users or groups are added by going to CMC or users and groups.

Configuring Tomcat web.xml File

To enable manual AD login, you have to configure the Tomcat web.xml file for InfoView and CMC. The Authentication dropdown on the InfoView and CMC login page is hidden by default.

To enable the dropdown box, follow these steps:
1. Open the file %PMDB_HOME%/BOWebServer/webapps/InfoViewApp/WEB-INF/web.xml.
2. Set the authentication.visible flag to True.
3. Set authentication.default to secwinad.
4. Save the changes.

Configuring bsclogin.conf and Krb5.ini files

The two files bsclogin.conf and Krb5.ini should be created under the c:\winnt folder on the SHR server.

Note: The file names are case-sensitive.

To configure the bsclogin.conf and Krb5.ini files, follow these steps:

a. Create the bsclogin.conf file
   bsclogin.conf is used to load the Java Login Module and trace logon requests. Create this file using the following code:

    com.businessobjects.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required debug=true;
    };

b. Create the Krb5.ini file
   Krb5.ini is used to configure the KDCs (Kerberos Key Distribution Centers, also known as domain controllers) that will be used for the Java logon requests.

c. Copy the default Krb5.ini and edit the following:

    [libdefaults]
    default_realm = MYDOMAIN.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    udp_preference_limit = 1
    [realms]
    MYDOMAIN.COM = {
        kdc = DCHOSTNAME.MYDOMAIN.COM
        default_domain = MYDOMAIN.COM
    }

The highlighted parameters in the above code should be modified as follows:
a. Replace MYDOMAIN.COM with the domain of your service account. All DOMAIN information must be in uppercase.
b. The default_realm value must exactly match the default domain value entered at the top of the AD page in the CMC.
c. Replace DCHOSTNAME with the hostname of a domain controller. For example, DCHOSTNAME is ADSERVER.DC4SHR.XYZ.COM.

Configuring Tomcat Java Option

To configure the Tomcat Java options, follow these steps:
1. Stop the Tomcat service on the SHR server.
2. Go to Start > Programs > Tomcat > Tomcat Configuration.
3. Add the following to Java options in the Java tab:

    -Djava.security.auth.login.config=c:\winnt\bsclogin.conf
    -Djava.security.krb5.conf=c:\winnt\Krb5.ini

4. Restart the Tomcat service.

Tomcat configuration changes for SHR 9.40

To make the Tomcat configuration changes for SHR 9.40, follow these steps:
1. Right-click the Tomcat Configuration program in the Programs menu.
2. Click Properties.
3. Modify the path in Target. Replace //ES//BOE120Tomcat7 with //ES//BOE120Tomcat.
4. Follow Step 1 of Configuring Tomcat Java Option.

Note: Once the AD users log in to the SHR InfoView page, you can give them permissions, based on their user roles, to access the SHR folders, universes and connections. This access will help the users to refresh SHR reports.

For more details on how to create report User Accounts and Groups and Access Level Restrictions, see SHR - Managing User Accounts and Groups at the following URL: https://hpln.hp.com/node/19476/attachment

Configuring SHR Administration Console for AD Authentication

AD authentication for the SHR Administration Console is supported from SHR 9.31 onwards. Ensure that SHR is upgraded to SHR 9.31 or a later version before you follow these steps:
1. Make the following changes to %PMDB_HOME%/data/config.prp:
   I. Set bo.authtype=secwinad
   II. Add the following lines to specify the location of the files bsclogin.conf and Krb5.ini:

    java.security.auth.login.config=<absolute path of bsclogin.conf file>
    java.security.krb5.conf=<absolute path of Krb5.ini file>

   Example:

    java.security.krb5.conf=c\:\\winnt\\krb5.ini
    java.security.auth.login.config=c\:\\winnt\\bsclogin.conf

2. Enter the following setting in the packagemgrsilent.ini file located at %PMDB_HOME%/config/startup:

    jargs=-Xmx256m -Dbsmr.home={bsmr.home} -DDPIPE_HOME={bsmr.home} -Dpmdb.home={bsmr.home} -Djava.security.auth.login.config=<absolute path of bsclogin.conf file> -Djava.security.krb5.conf=<absolute path of Krb5.ini file>

3. Restart the SHR_PMDB_Platform_Administrator service.
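A pre-flight check for the Krb5.ini, bsclogin.conf and CMC values described in the sections above, as an added example (not HP or SAP code). The function names and sample values are constructed for illustration, and the weak-encryption-type warning is this example's own addition, not a rule stated in this document.

```python
# Added example, not HP or SAP code. Sample values below are constructed.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}
JAAS_ENTRY = "com.businessobjects.security.jgss.initiate"
JAAS_MODULE = "com.sun.security.auth.module.Krb5LoginModule"

def parse_krb5(text):
    """Parse Krb5.ini text into {section: {key: value}}; realm blocks nest."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1].lower(), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = value
    return conf

def check(krb5_text, bsclogin_text, cmc_default_domain, cmc_spn):
    """Return (errors, warnings) for the rules this document states."""
    errors, warnings = [], []
    conf = parse_krb5(krb5_text)
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    realm = lib.get("default_realm", "")
    if not realm:
        errors.append("default_realm is missing")
    if realm != realm.upper():
        errors.append("default_realm is not uppercase: " + realm)
    if realm != cmc_default_domain:
        errors.append("default_realm differs from CMC Default AD Domain")
    if not realms.get(realm, {}).get("kdc"):
        errors.append("no kdc configured for realm " + realm)
    if cmc_spn != cmc_spn.strip():
        errors.append("SPN has leading or trailing white space")
    for name in (JAAS_ENTRY, JAAS_MODULE):  # Java names are case-sensitive
        if name not in bsclogin_text:
            errors.append("bsclogin.conf lacks exact name " + name)
    for key in ("default_tgs_enctypes", "default_tkt_enctypes"):
        weak = WEAK_ENCTYPES & set(lib.get(key, "").replace(",", " ").split())
        if weak:  # not a rule from this document: RC4 and DES are deprecated
            warnings.append(key + " allows " + ", ".join(sorted(weak)))
    return errors, warnings

KRB5_SAMPLE = """[libdefaults]
default_realm = XYZ.COM
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
[realms]
XYZ.COM = {
kdc = ADSERVER.DC4SHR.XYZ.COM
default_domain = XYZ.COM
}
"""
BSCLOGIN_SAMPLE = JAAS_ENTRY + " {\n " + JAAS_MODULE + " required debug=true;\n};\n"

if __name__ == "__main__":
    print(check(KRB5_SAMPLE, BSCLOGIN_SAMPLE, "XYZ.COM", "BOBJCMS/SHRBOSERVER.XYZ.COM"))
```

Errors correspond to the rules given in this document; warnings flag settings that work as configured but rely on deprecated Kerberos encryption types.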

References

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/40f4abf5-4d67-2e10-e48b-8db2cac73f8c?QuickLink=index&overridelayout=true&50968377367535